This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(144, 77%, 23%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EFF%3C/text%3E%3C/svg%3E)
Why does MSExchangeHMWorker.exe use clear Texen and how can I solve this issue?
This log is related to this service:
LogName=Security
EventCode=4624
EventType=0
ComputerName=*******
SourceName=Microsoft Windows security auditing.
Type=Information
RecordNumber=3745106803
Keywords=Audit Success
TaskCategory=Logon
OpCode=Info
Message=An account was successfully logged on.
Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: *
Account Domain: *
Logon ID: 0x3E7
Logon Information:
Logon Type: 8
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: No
Impersonation Level: Impersonation
New Logon:
Security ID: **
Account Name: HealthMailbox9114d76
Account Domain: *
Logon ID: 0x1903D9441
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {63624362-9c4c-0506-1390-edf73bc515d5}
Process Information:
Process ID: 0x2c7c
Process Name: C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeHMWorker.exe
Network Information:
Workstation Name: *
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
In Splunk, this log is fired for the so-and-so rule
I want to know why this service uses cleartext (logon type=8)
Is it a security issue? How do I fix it?
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(99.2, 91%, 19%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EJZ%3C/text%3E%3C/svg%3E)
Hi @fahimeh firouzbakht,
Welcome to the Microsoft Q&A platform!
The MSExchangeHMWorker.exe process is a part of the Microsoft Exchange Server Health Manager service, and it's responsible for monitoring and maintaining the health of Exchange services. The event you're seeing in the security log (Event ID 4624) with Logon Type 8 indicates a "NetworkCleartext" logon, which means that the user's credentials were passed in cleartext over the network. While it's concerning to see cleartext authentication, there are a few things to consider:
MSExchangeHMWorker.exe process operates within the context of internal server operations. If your Exchange server is properly segmented from public networks and only accessible by trusted internal systems, this might be less of an immediate concern.To address this potential issue, you can take the following steps:
Set-ReceiveConnector "Your Receive Connector Name" -AuthMechanism TLS Set-SendConnector "Your Send Connector Name" -RequireTLS $true
Please feel free to contact me if you have any queries.
Best,
Jake Zhang
Hi @fahimeh firouzbakht,
If this answer has been helpful, please consider accepting the answer to help increase visibility of this question for other members of the Microsoft Q&A community. If not, please let us know what is still needed in the comments so the question can be answered. Thank you for helping to improve Microsoft Q&A!
Best,
Jake Zhang
@Jake Zhang-MSFT Thank you very much for your reply
Another question I have is how can I set the authentication settings for this server to Kerberos?
Please explain to me the steps of this work.
Hi @fahimeh firouzbakht,
Thanks for your response.
Setting up Kerberos authentication for a server involves several steps. Here's a general outline you can follow, but keep in mind that specifics can vary depending on the type of server and operating system you are using. I'll provide a basic overview for a Linux environment, as Kerberos is most commonly used in such settings:
Make sure you have the Kerberos client and server packages installed on your system. On a Debian-based system, you can use:
sudo apt-get install krb5-user krb5-kdc krb5-admin-server
For Red Hat-based systems, use:
sudo yum install krb5-workstation krb5-libs krb5-server
You'll need to edit the Kerberos configuration file, typically located at /etc/krb5.conf. Here's a basic example:
[libdefaults]
default_realm = EXAMPLE.COM
dns_lookup_realm = false
dns_lookup_kdc = false
[realms]
EXAMPLE.COM = {
kdc = kerberos.example.com
admin_server = kerberos.example.com
}
[domain_realm]
.example.com = EXAMPLE.COM
example.com = EXAMPLE.COM
Replace EXAMPLE.COM and kerberos.example.com with your actual domain and Kerberos server.
Configure the KDC by editing /etc/krb5kdc/kdc.conf:
[kdcdefaults]
kdc_ports = 88
[realms]
EXAMPLE.COM = {
database_name = /var/krb5kdc/principal
admin_keytab = /var/krb5kdc/kadm5.keytab
acl_file = /var/krb5kdc/kadm5.acl
dict_file = /usr/share/dict/words
key_stash_file = /var/krb5kdc/.k5.EXAMPLE.COM
kdc_ports = 88
}
Initialize the Kerberos database:
sudo krb5_newrealm
Add a principal (the server) to the Kerberos database. For example, for a web server:
sudo kadmin.local -q "addprinc -randkey HTTP/server.example.com"
Generate a keytab file for the server:
sudo kadmin.local -q "ktadd -k /etc/krb5.keytab HTTP/server.example.com"
The specific steps for this will vary depending on the type of server. For example, if you're configuring Apache HTTP Server, you would typically use the mod_auth_kerb module.
For an example in Apache, edit your configuration file (/etc/httpd/conf.d/kerberos.conf):
<Location "/secure">
AuthType Kerberos
AuthName "Kerberos Login"
KrbMethodNegotiate on
KrbMethodK5Passwd on
KrbAuthRealms EXAMPLE.COM
Krb5KeyTab /etc/krb5.keytab
require valid-user
</Location>
Restart the necessary services to apply changes. For the KDC:
sudo systemctl restart krb5-kdc
sudo systemctl restart krb5-admin-server
For the server you're configuring (e.g., Apache):
sudo systemctl restart httpd
This is a simplified guide and might require additional steps or customization based on your specific environment and requirements.
Please feel free to contact me if you have any queries.
Best,
Jake Zhang
Hi @jake zhang
Thank you for your good response.